Karachi-based Bank Islami acknowledged on Sunday of suffering a security breach of its payment cards system but denied reports of having lost an alleged $6 million in what local press have called the biggest cyber-attack in the country’s history.
The bank said it detected the attack on Saturday morning, October 27, when internal security system identified “abnormal transactions” coming from Pakistani debit cards outside the country’s borders.
According to statement Bank Islami posted on social media [1, 2], bank officials said they immediately shut down the bank’s access to international payment networks.
The bank claims that it returned all the funds that had been withdrawn from customers’ accounts, which it only estimated at around 2.6 million Pakistani rupees, or, roughly$19.500.
But the bank disputes figures from international card processors that attackers made off with $6 million.
Subsequentially, after the Bank was cut off from the international payment scheme, the Bank was advised by international payment scheme that some transactions were made on international ATMs allegedly using Bank’s issued cards. However, no details have so far been shared with the Bank as to how such transactions were processed and validated when such transactions never landed on Bank’s system. These transactions, of approximately $6 million as claimed by international payment scheme, are not acknowledged by the Bank since the Bank was actually logged off from the international payment scheme at the time.
But local newspaper PakistaniToday is reporting, citing anonymous sources, that the bank may know more than it’s letting up.
“There is a clear breach of information at BankIslami’s part and it is being speculated that a digital copy of BankIslami customer’s credit card information was leaked to hackers,” the source told the newspaper.
“The transactions mainly originated from Brazil and the US, [and] the bulk of the transactions can be traced back to Point of Sale (POS) at Target Stores,” the source added.
The anonymous source’s information was confirmed by a statement issued by the State Bank of Pakistan (SBP), the country’s central banking entity and regulator, in an advisory to its own clients and fellow banks.
The SPB confirmed that a fellow bank’s cards were used “at ATMs and POS in different countries” and that it “temporarily restricted usage of its [own SPB] cards for overseas transactions” as a response to that breach, according to the SPB advisory obtained by ZDNet.
Bank Islami may be in denial because if the bank is proven to have acted too late in stopping the attack, it is on the hook for the $6 million alleged funds, which will come out of its pockets, and not its customers.